Why DMARC is not enough

January 21, 2020

We’ve recently read several articles about the U.S. Government turning to Domain-based Message Authentication, Reporting and Conformance (DMARC) to improve its email security. This has been driven largely by the Department of Homeland Security’s (DHS) binding operational directive, issued in October 2017 to enhance email and web security for federal agencies. However, as of mid-January, only 54.7% of federal domains had a working DMARC record.

While implementing DMARC alongside the DNS-based authentication mechanisms it builds on, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), is considered email security best practice, it addresses only a small portion of a much larger problem – and, as Taylor Swift says, “Band-Aids don’t fix bullet holes”.

Now before we get into how to fill this email security gap, let’s first talk about what DMARC is, in simple terms.

What is DMARC?

According to Wikipedia, DMARC is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. It is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

Matt Morehead also does a great job explaining DMARC in this post. He states, “DMARC ensures that legitimate email is properly authenticating against established DKIM and SPF standards, and that fraudulent activity appearing to come from domains under the organization’s control is blocked.”

So DMARC helps identify and block emails that fail authentication before they reach the recipient(s). Sounds simple enough, but implementing it correctly can be tricky. It also doesn’t fully address the larger problem: the massive volume of social engineering attacks that successfully reach your employees’ inboxes. As we’ve talked about before, 90%+ of cyber attacks are social engineering attacks delivered by email, and there is a 60%+ likelihood that your company will become a victim in any given year. DMARC can help but isn’t the only solution.

Gaps with DMARC

So where does DMARC fall short? DMARC is designed to protect against direct domain spoofing only. If the owners/operators of example.com use DMARC to protect that domain, it has no effect on example.net (notice the “.net” vs. “.com”).

Another misunderstood aspect of DMARC is that enabling it on your domain protects your domain from being used in a phishing attack; it does not by itself protect your organization against phishing and spear phishing. For that, all domains used in communication with your employees would need DMARC enabled, yet still only ⅓ of businesses employ DMARC. This makes the security of your organization dependent on whether the other companies communicating with you have DMARC enforced or not.

Furthermore, while impersonating a given domain is a common method used for phishing and other malicious activity, there are other attack vectors that DMARC does not address. For example, DMARC does not address cousin domain attacks (sending from a domain that looks like the one being abused – e.g. exampl3.com vs. example.com) or display name abuse (setting the display name in the “From” field so the message appears to come from the party being abused).
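As an added illustration (our own example here, not Graphus code), a short Python check for the two gaps just described: cousin domains such as example.net or exampl3.com, and display names that claim a trusted address while the real sender lives elsewhere. The trusted-domain list, the homoglyph table and the sample headers are constructed assumptions, and domains are assumed to be in plain name.tld form.

```python
from email.utils import parseaddr
from typing import List, Optional

# Constructed for this example: domains the organization trusts. DMARC only ever
# covers an exact match on these; anything that merely resembles them is unchecked.
TRUSTED_DOMAINS = {"example.com"}
# Digit/letter substitutions commonly seen in lookalike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Fold look-alike characters so 'exampl3' compares equal to 'example'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one insert, delete or substitution."""
    if len(a) < len(b):
        a, b = b, a                       # make a the longer (or equal) string
    if len(a) - len(b) > 1:
        return False
    for i in range(len(b)):
        if a[i] != b[i]:                  # first mismatch: the rest must line up
            return a[i + 1:] == (b[i + 1:] if len(a) == len(b) else b[i:])
    return True                           # equal, or b plus one trailing char

def domain_risk(domain: str) -> Optional[str]:
    """Explain why a sending domain resembles a trusted one, or return None."""
    if domain in TRUSTED_DOMAINS:
        return None
    name, _, tld = domain.rpartition(".")          # assumes plain name.tld form
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        if name == t_name and tld != t_tld:
            return f"same name as {trusted} under a different TLD"
        if within_one_edit(normalize(name), normalize(t_name)):
            return f"lookalike of {trusted}"
    return None

def check_from(header: str) -> List[str]:
    """Flag cousin-domain and display-name abuse in a From: header value."""
    display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    reason = domain_risk(domain)
    if reason:
        findings.append(f"cousin domain {domain}: {reason}")
    # Display-name abuse: the name shows a trusted address or domain while the
    # real address lives elsewhere. DMARC never evaluates the display name.
    if domain not in TRUSTED_DOMAINS and any(t in display.lower() for t in TRUSTED_DOMAINS):
        findings.append(f"display name {display!r} impersonates a trusted sender")
    return findings
```

A real deployment would feed this the parsed From: header of each inbound message and treat any finding as a signal alongside, not instead of, the SPF/DKIM/DMARC results.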

Graphus fills the gap

Protecting your organization’s domain is certainly important; however, you still need protection from all other domains that interact with your organization. Graphus fills this gap in your email security by offering a simple, powerful, and automated solution for G Suite and Office 365 users. Whether or not your organization, or the domains communicating with it, have DMARC enabled, Graphus protects your business from phishing, spear phishing, spoofing, ransomware, and email scams. It does this by leveraging our patented technology and algorithms, analyzing numerous attributes to build a TrustGraph™. This is a digital fingerprint created specifically for your organization to understand which communications are trusted. As soon as you activate Graphus for your organization it begins building this TrustGraph™, and because we leverage machine learning, it gets smarter over time.

If you’d like to try Graphus out for free, simply click the button below.